rd_priv and NAT

Paul Moore paul.moore at centrify.com
Thu Jan 26 17:38:21 EST 2006


In the case where there is a NAT box between the client and the KDC
KRB_PRIV responses can be rejected because the s-address check
in krb5_rd_priv_basic gets upset (it believes it sent the request to one
address but the KDC inserted a different one in the reply). Since the
message is encrypted the NAT box cannot mangle the addresses to make
them right (as it would do in many other protocols). My specific case is
a password change request which is carried in an exchange of PRIVs; but
this is a general issue.
 
There is a config choice to control the optional inclusion of caddrs in
TG and AS exchanges but this is different. The inclusion of s-address in
the PRIV packet is not optional and the caddrs config choice does not
get looked at by the priv handling code.
 
Seems to me the only solution is to make the rd_priv s-address check
(and perhaps the r-address too) conditional. It could be made
conditional on the existing noaddresses config boolean or I could add a
new boolean. Of course there could be a more complex scheme saying 'it
is ok if address x claims to be address y' but that seems OTT.
 
Thoughts?
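Added example, not part of the post and not MIT krb5 code: a small Python model of the failure described above. A KDC sits behind a destination NAT; the client sends a KRB_PRIV to the NAT's public address, the KDC writes its own inside address into the encrypted s-address of the reply, the NAT fixes the outer IP header but cannot touch the encrypted body, and the client-side address check rejects the message. The field names (user-data, s-address, r-address) follow the EncKrbPrivPart definition in RFC 4120; the addresses, the NAT model and the `check_addresses` flag (standing in for the noaddresses-style boolean the mail proposes) are assumptions made for this example.

```python
"""Model of the KRB_PRIV address check failing across a NAT (added example).

Toy reproduction of the problem described in the mail, not MIT krb5 code.
The real check lives in krb5_rd_priv_basic(); everything here (addresses,
the NAT model, the check_addresses knob) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses (documentation ranges).
CLIENT_IP = "198.51.100.7"     # client, not behind any NAT
NAT_PUBLIC_IP = "203.0.113.1"  # what the client believes is "the KDC"
KDC_INSIDE_IP = "10.0.0.5"     # the KDC's real address behind the NAT


@dataclass
class EncKrbPrivPart:
    """Fields inside the encrypted part of KRB_PRIV; a NAT cannot rewrite them."""
    user_data: bytes
    s_address: str                    # mandatory: the sender's own address
    r_address: Optional[str] = None   # optional: the intended recipient's address


@dataclass
class Packet:
    """Outer IP header plus the opaque (encrypted) KRB_PRIV body."""
    src_ip: str
    dst_ip: str
    body: EncKrbPrivPart


def nat_forward(pkt: Packet) -> Packet:
    """Destination NAT in front of the KDC: only the outer header is rewritten."""
    if pkt.dst_ip == NAT_PUBLIC_IP:                     # inbound to the KDC
        return Packet(pkt.src_ip, KDC_INSIDE_IP, pkt.body)
    if pkt.src_ip == KDC_INSIDE_IP:                     # outbound from the KDC
        return Packet(NAT_PUBLIC_IP, pkt.dst_ip, pkt.body)
    return pkt


def rd_priv_check(body: EncKrbPrivPart, remote_addr: Optional[str],
                  local_addr: Optional[str],
                  check_addresses: bool = True) -> Tuple[bool, str]:
    """Model of the receiver-side address checks done when reading a KRB_PRIV.

    remote_addr / local_addr are what the receiver believes the peer's and its
    own address to be.  check_addresses is the hypothetical boolean the mail
    proposes; when False both address comparisons are skipped.
    """
    if not check_addresses:
        return True, "ok (address checks disabled)"
    if remote_addr is not None and body.s_address != remote_addr:
        return False, (f"BADADDR: s-address {body.s_address} != expected "
                       f"remote {remote_addr}")
    if (body.r_address is not None and local_addr is not None
            and body.r_address != local_addr):
        return False, f"BADADDR: r-address {body.r_address} != local {local_addr}"
    return True, "ok"


def run_scenario(check_addresses: bool) -> Tuple[bool, str]:
    """Password-change style PRIV exchange through the NAT; client-side verdict."""
    # 1. The client sends its KRB_PRIV to the address it knows for the KDC.
    request = Packet(CLIENT_IP, NAT_PUBLIC_IP,
                     EncKrbPrivPart(b"change-password", s_address=CLIENT_IP))
    at_kdc = nat_forward(request)
    # 2. The KDC only knows its inside address, so that is what it puts in the
    #    encrypted s-address; r-address is the source it saw on the request.
    reply = Packet(KDC_INSIDE_IP, at_kdc.src_ip,
                   EncKrbPrivPart(b"ok", s_address=KDC_INSIDE_IP,
                                  r_address=at_kdc.src_ip))
    at_client = nat_forward(reply)
    # 3. The NAT corrected the outer source address but not the encrypted
    #    s-address, so the client compares KDC_INSIDE_IP with NAT_PUBLIC_IP.
    assert at_client.src_ip == NAT_PUBLIC_IP
    return rd_priv_check(at_client.body, remote_addr=NAT_PUBLIC_IP,
                         local_addr=CLIENT_IP, check_addresses=check_addresses)


if __name__ == "__main__":
    print(run_scenario(check_addresses=True))
    print(run_scenario(check_addresses=False))
```

With the checks enabled the client rejects the reply on s-address even though the outer header looks right; with the checks disabled (the conditional behaviour the mail suggests) the same reply is accepted. The r-address comparison is kept in the model because the mail raises it as a second candidate for the same treatment.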
